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METHOD AND SYSTEM FOR SECURE 
TRANSMISSION 
OF INFORMATION OVER 
TELECOMMUNICATION NETWORKS 

5 

GENERAL TECHNICAL FIELD . 

The invention relates to an automated method for the secure transmission 
of confidential information, optionally incorporating identification codes, over 
two disjointed and optionally insecure telecommunication networks, in 
10 particular Internet and the telephone network. 

More precisely, the invention relates to a method avoiding the transit, 
storage and reconstitution of confidential information, in its entirety, even 
transiently, by one or more intermediaries between a sender and a recipient of 
said confidential information. 
15 The method also allows a neutral intermediary to construct a trace of the 
history of the use of the confidential information, anonymously and yet still 
being unable to reconstitute it in its entirety. 

The invention is particularly suitable for transmitting a payment card or 
authentication code for securing payments, principally for confidential remote 
20 access, by transmitting a password or equivalent. 
STATE OF THE ART 

Transmitting confidential information, in particular identification codes, over 
public networks and particularly payment card numbers or passwords, is 
essential for finalizing remote transactions, in particular commercial, or to 
25 identify oneself, over said networks. 

Users, in particular on-line consumers, are of course reluctant to transmit 
confidential information, in particular their payment card number or 
passwords, over the Internet or over another telecommunication network. 
Such reluctance is a significant brake 
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on the growth of transactions, in particular commercial, over these networks. 
Users' fears are in particular: 

- on the one hand, the fear that their confidential data will be pirated via 
eavesdropping on the network during the transmission of said confidential 

5 information from the sender to the recipient. Pirating may also be carried out 
by a third party which would thus recover the confidential information; 

- on the other hand, the fear of pirating of confidential information on the 
server of an intermediary, for example a service provider, a dealer, or a 
trusted third party, or simply by the dishonesty of said intermediary. 

10 Both these fears are summed up by the apprehension that ill-intentioned 
persons could re-use this confidential information, for example a payment 
card number or a password, to impersonate the genuine user. 

Thus, despite the installation of systems to encrypt data during its transfer, 
the mistrust remains. 

15 Moreover, in the case of on-line purchases, for example, the fears of on- 
line goods or service providers are in particular: 

- on the one hand, the fear of excessive rejections of on-line purchases 
due to fraud, and sometimes to the dishonesty of certain users, in particular 
on-line consumers; 

20 . . - on the other hand, the fear of attacks on their servers, by ill-intentioned 
third parties who want to recover all sorts of identifying information, such as 
passwords or payment card numbers. Security measures are never sufficient 
and thousands of payment card numbers, passwords, and every kind of 
confidential information available on a server are a very attractive target for 

25 intruders. 

The solutions provided for this problem are of three types: 
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- either data encryption, at least during transmission, via protocols or, 
optionally, various hardware well known to a person skilled in the art, for 
example, but not limited to, the SSL or "Secure Socket Layer" transaction 
protocol or TLS "Transport Layer Security" according to the English 

5 terminology generally used by a person skilled in the art, the SSL and TLS 
protocols themselves using various ciphering algorithms, authentication 
protocols and certificate generation systems. 

- or authentication methods with prior registration with a trusted third party 
or equivalent, and which generally require the disclosure of personal 

10 information. The user must then be confident in the ability of these service 
providers and intermediaries to ensure authentication security. Such 
examples of methods are disclosed in the documents US 6 012 144 and FR 2 
806 229, for example. 

- or methods termed 'proprietary', which require loyalty by both buyer and 
15 seller to a technical system, for example a card reader or proprietary key 

generation systems, and which require installation of a software programme, 
plug-in or hardware item. This is in particular the case in the method disclosed 
in the document WO 96/29667. 

Early encryption solutions did not respond to user fears as only the 

20 transmission is secure and their confidential information always circulates as a 
part (even if, for example, the Internet protocol breaks down the information 
into packets, the latter being reconstituted and reconstitutable) and are stored 
as a single part. For example, the SSL secure transmission protocol provides 
good data transmission protection but, on the one hand it is not impossible to 

25 decrypt the SSL secure data transmission and, on the other hand, it leaves 
the problem of sending and receiving the data untouched. Furthermore, users 
do not necessarily acknowledge the security of the system, as it has been 
shown, in particular on the Internet, that such systems, based on the entire 
transmission and by one or more channels using identical technology, were a 

30 source of fraud. 
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The second type of solution, involving pre-registration, are unsuited to the 
user, as they are not universal and require him to make the effort of 
registering. The second type of solution is no longer suited to suppliers of 
goods and services which seek solutions where the flow is uninterrupted, i.e. 
5 the transaction is fluid, in particular for the user. 

Finally, solutions of the third type require a wholesale enrolment effect, in 
particular from consumers and frequently, they also require an investment in 
money or time by the user to master the installation or use. Finally, these 
• solutions have frequently also proved very costly for the service provider, 
1 0 dealer or authenticating organization. 

Moreover, it has been noted that sending confidential information by fax, 
telephone, SMS, mail or other means of remote communication, electronic or 
other, reassures some users although the risk of pirating confidential 
information in these cases is very high and that these solutions do not resolve 
1 5 the information storage problem. 

In conclusion, sending confidential information over a network carries a 
risk during the following stages: 

- entering this information on a single terminal, as the terminal (keyboard, 
screen, etc.) may be spied upon; 

20 - transmission over the network, in particular the start and finish, as the 
information, even encrypted, can be captured then either be reused 
directly or decrypted; 

- the storage of this confidential information with an intermediary, a trusted 
third party or supplier of goods or services, as this server may be a weak 

25 point in the security, despite the precautions taken and even if an 
encryption algorithm, especially if it is of the reversible type, is applied; 

- the registration phases are particularly vulnerable, as in addition to the 
confidential information, personal information is frequently sent. 



PRESENTATION OF THE INVENTION. 

The invention proposes to overcome the drawbacks set out earlier. 

An aim of the invention is to ensure the transmission of confidential 
information which does not detract from the smooth flow of the transaction 
5 and is very user-friendly. 

Another aim of the invention is to propose a technique for guiding the user 
through the various stages of sending the information. 

Another aim of the invention is to provide a method which does not require 
prior registration with the neutral intermediary providing anonymous transfer of 
10 at least one part of the confidential information. It is therefore partially 
opposed to the concept, familiar to a person skilled in the art, of the 'trusted 
third party 1 in the sense that the trusted third party is frequently the depositary 
of personal information which may also be very confidential. 

Another aim of the invention is to provide a method which does not 
15 intrinsically require special facilities for the user, other than the software, 
hardware and means of communication over the networks implemented 
during the transaction. Hence the securing of the transaction is not carried out 
to the detriment of the smooth flow of the transaction. 

Another aim of the invention is to allow improved identification of the user 
20 while the confidential information is being sent, while at the same time 
maintaining simplicity of use and ensuring the user remains anonymous. 

According to this invention, the security is ensured by separating the 
information into two complementary parts which are insignificant when 
separated, transported over two disjointed networks via a neutral intermediary 
25 and requiring neither registration of the user with said neutral intermediary, 
nor installation by the user of software and hardware other than those 
necessary for connection over the two telecommunication networks. 
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To this end, the invention proposes a method for secure transmission of 
confidential information, in particular an identification code, to an 
authenticating organization or any other end recipient, termed "authentication 
organization", and authorized to receive this information during a transaction 
5 with a user. This method is characterized in that the user separates the 
confidential information which he wants to send to the authentication 
organization into two complementary parts which are valueless taken 
separately. 

This uses a disjointed security technique allowing simultaneous and 

10 entirely automated transmission of two complementary parts of an item of 
confidential information over two different networks. This technique is a very 
sure means of transmitting confidential information if the parts are valueless 
taken separately and if it is impossible for a third party to reassemble the 
parts, which is enabled by the method implemented by the invention. 

15 The method implemented by the invention sets up an intermediary, called 
"neutral intermediary", which sends anonymously and without storing the data 
capable of being reconstituted, a part of the confidential information which is 
not usable on its own, in particular an identification code, via a network called 
"the second network", technologically distinct from the network called "the first 

20 network", which is used to send the other complementary part of said 
confidential information directly or indirectly to the authenticating organization. 

In this method, the data stored by the neutral intermediary is stored using 
non-reversible encryption techniques called "digital fingerprinting", which is 
well known to a person skilled in the art, such as the MD5 algorithm 

25 ("Message Digest 5" using English terminology and referenced RFC1321) or 
the SHA1 algorithm ("US Secure Hash Algorithm 1" using English terminology 
and referenced RFC3174), or any other one-way encryption algorithm. Thus 
the neutral intermediary cannot reconstitute the information which it is storing. 
This 'anonymous identification' 
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is carried out by comparing the stored digital fingerprints with the digital 
fingerprint for a combination identical to that of the data transmitted. This 
allows the method to construct an anonymous record of the transactions by 
storing, for example, the digital fingerprint of a combination of the user's 
5 details on the second network with the supplementary part of the confidential 
information also received by the neutral intermediary over the second 
network. Statistical data of every kind may be associated to said fingerprint for 
the purposes of classification, analysis and scoring. 

The user sends a first part of the confidential information either directly to 

10 the authenticating organization, or via an intermediary, for example, a supplier 
of goods or services over a first network, for example, the Internet. 

At the request of the neutral intermediary, itself requested directly or 
indirectly by the authenticating organization, the user then sends the second 
complementary part of the confidential code to the neutral intermediary over a 

15 second network disjointed from the first, using, for example, different 
communication technologies or protocols, the neutral intermediary then 
sending the part of the code which it has received to the authenticating 
organization. 

Exchanges with the authenticating organization and, if necessary, with the 
20 suppliers of goods or services party to the transaction with the user are 
secured point to point by coding and mutual recognition techniques familiar to 
a person skilled in the art, such as the exchange of certificates or keys, SSL 
transmission, TLS, etc. This secure network between two points is called the 
"third network". The first and second networks are networks connected to the 
25 user, whereas the third network is a network between the neutral 
intermediary, the authenticating organization and, optionally, suppliers of 
goods and services party to the transaction. 

This separation of the information into two complementary parts, 
transmitted via disjointed communication channels and different technologies, 
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such as the Internet and the telephone, is easily understood by the user, who 
sends a part of his confidential information via distinct telecommunication 
means. Of course, he is reassured by this. 

The two networks have disjointed data entry means, which may be, for 
5 example, but not limited to, a computer keyboard, the keys on a telephone, a 
voice recognition system, a card reader, etc. This avoids pirating or monitoring 
of the data input by a unique terminal and in particular a computer keyboard. 

The invention is advantageously complemented by the following 
characteristics, taken individually or in any of their combinations as technically 
10 feasible: 

- transmission of the first part of the confidential information to the 
authenticating organization is carried out according to the following stages: 

- the user sends the first part of the confidential information to a supplier of 
goods or services over the first network; 

15 - the supplier then sends the first part to the organization over a third network; 

- at least one session identifier, shared between at least two of the parties to 
the transaction, allows the authenticating organization to reconstitute 
automatically the confidential information which the user sends to it; 

- each session identifier is generated by at least one of the parties to the 
20 transaction; 

- the neutral intermediary contacts the user over the second network 
automatically, in order to retrieve the second complementary part of the 
confidential information; 

- the communication over the first network between the user and the 
25 authenticating organization or the supplier of goods or services is transferred 

automatically to the neutral intermediary for the transaction; 
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- the user contacts the neutral intermediary over the network in order to send 
the second complementary part of the confidential information associated with 
a session identifier; 

- recall coordinates of the user over the second network are sent to the neutral 
5 intermediary by the authenticating organization over the third network; 

- recall coordinates of the user over the second network are sent to the neutral 
intermediary by the supplier of goods or services over the third network; 

- recall coordinates of the user over the second network are sent to the neutral 
intermediary by the user over the first network; 

1 0 - the third network is a secure point to point network; 

- the user is guided automatically by the neutral intermediary through the 
various stages of the method for sending the second part of the confidential 
information over the first and/or second network respectively, in a coordinated 
and optionally synchronized manner; 

15 - the neutral intermediary establishes a transactions log; 

- the log established by the neutral intermediary is anonymous; 

- the anonymity of the log is ensured by a non-decipherable coding of a 
combination of the user's coordinates over the second network and the 
second part of the confidential information sent by the user to the neutral 

20 intermediary over the second network; 

- the neutral intermediary sends an advice linked to the user's transaction log 
over the network; 

- the neutral intermediary requests the user to supply, in addition to the 
confidential information to be sent to the organization, a personal code which 

25 is used during subsequent transactions and which identifies the user; 

- the personal code is sent via a secure point to point type network to a 
second authenticating organization with which the user has previously 
registered or to which the user is known; 

- the personal code is a digital and/or voice code entered on a terminal 
30 connected to the second network; 
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- the neutral intermediary stores, in an uncoded or reversibly encrypted 
manner, the user's coordinates on the network; 

- the neutral intermediary stores, in an uncoded or reversibly encrypted 
manner, the second complementary part of the confidential information 

5 supplied by the user over the network; 

- the neutral intermediary contacts the user again after the latter is 
disconnected from the first network, said connection to the first network being 
re-established once the second part of the confidential information has been 
sent to the neutral intermediary. 

10 The main advantages of the invention are, but not limited to, the following: 

- securing of the transmission of information via two distinct channels 
using two disjointed networks implementing, for example, two different 
communication technologies or protocols, 

- the engendering in the user the confidence to send confidential 
15 information, in particular his payment card number or his password, 

whilst allowing him to view the process ensuring security, 

- the ease of use for the user by automating the process and the use of 
interfaces providing guidance, optionally coordinated over both networks 
in real time, 

20 - securing the entry of confidential information by the use of two disjointed 
data entry terminals, 

- identification of the user by connecting means forming the neutral 
intermediary's server to the user, 

- the possibility of building up an anonymous transaction log by using 
25 digital fingerprinting, 

- the possibility of a second identification, optionally by a second 
authenticating organization in order to reinforce the level of identification, 

- the security and confidentiality of transmissions between the neutral 
intermediary and the authenticating organization or, optionally, a service 

30 provider or dealer by using point to point transmission. 
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The invention also relates to a system for implementing the method 
according to the invention. 
PRESENTATION OF THE FIGURES 

Other characteristics, objectives and advantages of the invention will 
5 emerge from the description which follows, which is purely for illustration and 
must be read in conjunction with the attached drawings, in which: 

- Figure 1 represents diagrammatically the exchanges of information 
between a user, a supplier of goods or services, for example a dealer, an 
authenticating organization, for example a bank, and the neutral 

10 intermediary; 

- Figure 2 represents diagrammatically the various stages of a method for 
securing exchanges of information between a user, a supplier of goods or 
services, for example a dealer, an authenticating organization, for example 
a bank, and the securization intermediary; and 

15 - Figure 3 represents diagrammatically a possible sequence for the various 
stages of a method for securing exchanges of information between a user, 
a supplier of goods or services, for example a dealer, an authenticating 
organization, for example a bank, and the neutral intermediary. 
DETAILED DESCRIPTION 

20 Figure 1 represents diagrammatically the exchanges of information 
between a user 1, a supplier of goods or services 2, an authenticating 
organization 3 and the neutral intermediary 4 during any on-line transaction 
over a telecommunication network. At this point, it should be noted that the 
transit of part of the confidential information via the supplier of goods or 

25 services is not essential to the transmission of the information. This 
transmission may be made directly to the authenticating organization. In fact, 
as the security and anonymity of the transmission is based on exchanges 
between the user 1, the neutral intermediary 4 and the authenticating 
organization 3, the channel for transmitting the confidential information from 

30 the other party is less important. 
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Figure 1 shows the communication networks comprising two disjointed 
networks and using, for example, different communication technologies or 
protocols forming the parts 100 and 200, and a point to point private or secure 
network forming the part 300. 
5 The double arrows 102,105 and 106 symbolize the exchanges of 
information between the supplier of goods or services 2 and the neutral 
intermediary 4, the neutral intermediary 4 and the authenticating organization 
3, and the supplier of goods or services 2 and the authenticating organization 
3 respectively. The link 102 is optional, as all the necessary information for 

10 activating the transmission over the second network can transit via the 
authenticating organization 3. 

The first possible part 100 of the telecommunication network allows 
communication between the user 1 and the supplier of goods or services 2 
represented by the double arrow 101, and between the user 1 and the neutral 

15 intermediary 4 during exchanges 103. It is preferably of the Internet type and 
optionally, but not necessarily, secured. The first part 100 may therefore 
support any type of character which has to be transmitted by the user 1. The 
first part 100 is necessarily disjointed from the part 200 and uses, for example, 
different communication technologies or protocols from those used by the part 

20 200. 

In the following developments, Internet designates all computer networks 
100 from computer terminal to computer terminal. The title specifically 
includes every kind of private or public network, for example, Intranet or 
Extranet. 

25 The second possible part 200 of the telecommunication network allows 
communication between the user 1 and the neutral intermediary 4 during the 
exchange 104. It is preferably a telephone network. The second part 200 must 
be disjointed from the part 100 and uses, for example, different 
communication technologies or protocols from those used by the part 100. 

30 The telephone network is, in the current state of the art, composed 
essentially of telephone terminals with number keys. Thus, 
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the data sent by the terminals is digital in the current state of the art. Changes 
in the state of the art may soon allow the transmission of any type of 
character. 

Therefore, at the end of the network 100 situated close to the user 1, the 
5 possible system for implementing the method according to the invention 
comprises, on the one hand, means 11 for connecting to the network 100 and 
on the other hand, means 12 for connecting to the network 200. 

The means 1 1 communicate with means 21 situated at the supplier of 
goods or services 2 and means 41 situated at the neutral intermediary 4, in 
1 0 order to allow the exchanges 1 01 and 1 03 respectively. 

The means 12 communicate with means 42 situated at the neutral 
intermediary 4, in order to allow the exchanges 104 over the part 200 of the 
network. 

The means 1 1 comprise, for example, a computer terminal called the "web 
1 5 terminal", as the network 100 is preferably of the Internet type. 

The means 12 comprise, for example, means" forming a fixed line 
telephone connection or a mobile telephone, as the network 200 is preferably 
a fixed or mobile telephone network. 

The telephone 12 is advantageously a key 'phone and able to send DTMF 
20 (Dual Tone Multi-Frequency) codes, according to the English terminology 
generally used, or any other protocol or method available on said means to 
send part of the confidential information. 

The method according to the invention can thus be transposed to systems 
which already exist, as mobile 'phones are able to send DTMF codes and the 
25 vast majority of fixed line telephones are key 'phones and use voice 
frequencies allowing DTMF codes to be sent. 

In the case where the means 12 of user 1 would not allow the transmission 
of DTMF codes, a variant of the method according to the invention uses voice 
recognition to acquire the second part of the confidential information. 
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At the end of the network 100 situated close to the supplier of goods or 
services 2, the system comprises means 21 forming a server on the network 
100. The means 21 comprise, for example, a server called a "web server". 
The supplier of goods or services 2 can thus exchange data 101 with the 
5 user 1 . 

The third part 300 of the telecommunication network is preferably of a type 

capable of transmitting point to point secure data. 

By way of non-limitative example, this may be a network of the VPN 

(Virtual Private Network) type, a private network, a point to point secured 
10 transmission protocol which may use, for example, messages signed by a 

MAC (Message Authentication Code), which is a seal calculated using an 

algorithm, for example of the DES (Data Encryption Standard) type and 

combined with a sealing key exchanged with the data. It can also be SSL or 

TLS transmissions, with an exchange of certificates between the two parties. 
15 Other point to point secure transaction methods are of course known to a 

person skilled in the art and may be applicable to the method. Optionally, new 

security methods can replace currently known protocols. 

Therefore, the system at the supplier of goods or services 2 can comprise 

means 23 capable of managing point to point transactions 102, 106. 
20 Yet again, the method according to the invention can be transposed to 

prior art systems, as most suppliers of goods or sen/ices, in particular on the 

Internet, are equipped with such servers. Frequently, they already use point to 

point secure transfer protocols. 

If the supplier of goods or services 2 does not have means 23 capable of 
25 managing these transactions, it will entrust the service to a third party 

approved by the authenticating organization 3. Said third party 
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will previously have set up suitable transfer protocols with the authenticating 
organization 3. 

The means 21 and 23 belonging to the authenticating organization 3 are 
managed by the means 22. 
5 Systems at the ends of the network 300 situated at the authenticating 
organization 3 and the neutral intermediary 4 comprise means 33 and 43 to 
process the point to point secure transfer information flow. 

The authenticating organization 3 also has means 31 forming the 
authentication server, as well as means 32 allowing management of the set of 
10 means 31 and 33. 

It will be recalled at this point that the term "authenticating organization" 
refers to a banking or financial organization and, more generally, to an 
organization authorized to carry out any authentication. 

The neutral intermediary 4 is connected to the means 12 over the network 
15 200 via means 42 forming the server. The means 42 comprise, for example, a 
telephone server, such as IVR (Interactive Voice Response) means, or their 
equivalent, which are well known to a person skilled in the art. 

The means 42 are capable, for example, of making telephone calls 104, 
making delayed calls, filtering DTMF codes, and distributing messages and 
20 recording calls, as well as all options offered by computer systems coupled to 
telephony for exchanging information with the user 1. The means 42 are 
known to a person skilled in the art. 

The neutral intermediary 4 is also connected to means 1 1 over the network 
100 via means 41 forming the server. The means 41 comprise, for example, a 
25 web server. 

Finally, the neutral intermediary 4 is connected to the means 33 over the 
network 300 via means 43 forming the point to point server. 

A complementary part of the confidential data can be sent via the supplier 
of goods and services 2 and this is often done, but it is not essential to the 
30 functioning of 
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the present method, which is not based on the security of said transmission 
channel, and can therefore advantageously be done directly to the 
authentication organization 3. 

In the present description, the term "confidential information" designates all 
5 types of confidential alphanumeric, digital or binary codes and/or information 
linked to a secret identification or transmission. This may be, for example, but 
not limited to, a payment card number or an authentication code specific to a 
security system. 

Preferentially, the part of the confidential information sent by the telephone 
10 system is digital in the current state of the art. The other part of the 
confidential information is preferably alphanumeric if this is supported by the 
networks. 

The terms "start of the confidential information" and "end of the confidential 
information" or, more generally, "part of the confidential information", 
15 designate two disjointed parts of the confidential information. The disjointed 
parts have no meaning when they are taken separately and cannot be 
reconstituted in a method according to the invention, as they pass by different 
paths and are reconstituted only by the authenticator organization 3. 

The size of the different parts is immaterial, as both parts are strictly 
20 complementary and have no meaning in terms of identification or 
confidentiality when they are taken separately. Therefore, it is not essential 
that they are the same size. 

Preferentially, in one possible implementation of the method, two parties 
are used, i.e. the supplier of goods or services 2 and the neutral intermediary 
25 4, for sending confidential information between the user 1 and the 
authenticating organization 3. 

The supplier of goods or services 2 and the neutral intermediary 4 are in 
communication with the user 1 via two communication modes using, for 
example, different communication technologies or protocols, the Internet 
30 network 100 and the telephone network 200 respectively. 
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Thus, each sends one of the two parts of the confidential information to the 
authenticating organization 3 via the network 300. 

The information ftows exchanged between the various parties are 
represented diagrammatically by the double arrows 101, 102, 103, 104, 105 
5 and 106. 

The flows are described in more detail in Figure 3, which uses the same 
numbering as Figures 1 and 2 for identical items. 

Figures 1 and 3 represent possible implementation modes for the 
invention, in which the various players are different entities. 
10 However, it is possible for the transmission path from user 1 to the 
authenticating organization 3 via the supplier of goods or services 2 to be 
simplified if the confidential information is sent directly between the user 1 and 
the authenticating organization 3. In this case, the means belonging to parties 
2 and 3 are grouped together in the authenticating organization 3. In this 
1 5 case, the different servers presented as useful for carrying out the method can 
function on the same means or even be integrated into a single programme. 
The transfer modes between the various players remain the same as those 
shown in Figures 1 and 3. 

In fact according to this method, it is the path via the neutral intermediary 4 
20 which is essential to ensure the securing of the transmission of the 
confidential information. 

No prior registration of the user 1 is necessary in any of the modes for 
implementing the method according to the invention. 

The invention can be used for e-commerce transactions and, more 
25 generally, for any data authentication and transfer method. 

Advantageously, the method comprises stages according to which: 
- The user 1 separates the confidential information into two complementary 
and distinct parts, where neither can be used independently of the other; 
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- The user 1 sends each of the two parts of the code via distinct 
communication means, via the network 100 to the supplier of goods and 
services 2, and via the network 200 to the neutral intermediary 4. In the 
present description, one part of the confidential information is sent to the 
5 supplier of goods and services 2, for example, via an Internet network and the 
other part of the confidential information is sent to the neutral intermediary 4, 
for example, via a telephone network. Advantageously, the information sent 
over the networks is not reconcilable by a third party. This makes pirating and 
eavesdropping of the communications worthless. 

10 - The supplier of goods and services 2 and the neutral intermediary 4 send the 
authenticating organization 3 the part of the code which has been sent to 
them by the user 1. 

Therefore, in the method according to the invention, only the 
authenticating organization 3 retrieves all the information. Neither the supplier 

15 of goods or services 2 nor the neutral intermediary 4 have access to all the 
information. 

The two parts of the information, once reunited by the authenticating 
organization 3, continue to only pass through private or secure networks 
which are deemed inaccessible. 

20 Therefore, no intermediary knows all the confidential information, and none 
can store all the confidential code. 

The invention also relates to the use which may be made by the neutral 
intermediary 4 of the digital fingerprints of pairs formed by the details of user 1 
on the network 200, for example the telephone number, and a non-significant 

25 part of the confidential data received by the neutral intermediary from the user 
1. 

During each transaction, the neutral intermediary 4 can store these digital 
fingerprints in a database or equivalent, for example included in means 44. 
Said digital fingerprints are used to build at the neutral intermediary 4 a 
30 transactions log, which can be used 
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not only for statistical and reporting purposes, but also, for example, for the 
purpose of qualifying potential client risk, depending on satisfactory payment 
or non-payment of the transaction during earlier attempts. 

The data is stored in the form of a digital fingerprint, for example by using 
5 a mechanism of the MD5 or SHA1 type. 

The log thus created or the statistical data associated with said log can 
optionally be provided to the supplier of goods or services 2 or to the 
authentication organization 3 if a user sends to the neutral intermediary 4 a 
pair made up of a same information part and by using the same details over 
10 the network 200 and the digital fingerprint of which is stored by the neutral 
intermediary 4. Thus, the intermediary 4 can indicate to the supplier of goods 
and services 2 if, for example, payment problems are associated to this pair. 

Likewise, it is possible to indicate to the supplier of goods or services 2 or 
to the authenticating organization 3 whether it is the first time that such a pair 
15 has been entered. 

Therefore, the transactions which present a risk are indicated to the 
supplier of goods or services 2 or the authentication organization 3. 

In any case, the fact that a telephone number, which is relatively easy to 
trace, must be provided in the preferred mode of implementation, discourages 
20 a certain type of dishonest client. 

The neutral intermediary 4 does not store uncoded coordinates of user 1 
on the network 200, other than coordinates on a list of banned numbers, such 
as, for example, public telephone boxes or numbers used by potential 
fraudsters, or deemed to be at risk. Potentially, it will be impossible to send 
25 any information from these coordinates. 

It is therefore possible to secure transactions and to reduce insurance 
premiums for policies which the supplier of goods and services 2 is frequently 
induced to contract in the situation according to the prior art. 

The various stages of the method according to the invention will now be 
30 described in detail. The following example is one integration possibility 
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but does not cover the entire scope of the possible applications of the method. 
For example, this example involves payment for on-line purchases by 
payment card, but it could also involve any authentication, not necessarily for 
a purchase. Thus the code to be sent does not have to be a payment card 
5 number. 

Figure 2 shows a mode for implementing a transaction over a first network 
of the Internet type and a second of the telephone type. 

Figure 3 shows diagrammatically and with the same reference numbers, 
the flow of information being exchanged between the various parties while 
10 implementing the method according to the stages in Figure 2. 

At stage 201 of Figure 2, after having selected, for example, items in the 
catalogue of a supplier of goods or services 2, the user 1 decides to approve 
his shopping basket. 

At stage 202, during the order approval process, the supplier of goods or 
15 services 2 requests the user 1 to send it the information necessary for 
despatch of and payment for the ordered goods. 

Among this information, the supplier of goods or services 2 asks only, for 
example, for the first eight digits of the payment card number of the user 1 . 
The transaction is preferably carried out in secure SSL type mode. 
20 At stage 203, the user 1 sends the information requested by the supplier of 
goods or services 2. 

At stage 204, the supplier of goods or services 2 generates a session 
identifier. This is an identifier specific to the transaction. It will allow the 
various parties to exchange information relating to this transaction. This 
25 identifier, according to a variant, is generated by the authenticating 
organization 3 in response to the request from the supplier of goods or 
services 2, during the stages 205 or 207 detailed below. 

At this stage, the supplier of goods or services 2 stores the data, pending 
payment, in a database, for example included in the means 22, with, for 
30 example, the session identifier for the key. 
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At stage 205, the supplier of goods or services 2 sends the authenticating 
organization 3 the first part of the payment card number, accompanied by the 
session identifier if it generated same, together with any other data necessary 
to finalize the transaction with the authenticating organization 3. The other 
5 necessary data is, for example, the payment card expiry date, the amount of 
the transaction, etc. 

The data necessary for the authenticating organization 3 is sent in point to 
point secure mode as shown in Figure 1 . 

At stage 206, the authenticating organization 3 stores the data sent by the 
10 supplier of goods or services 2 pending additional information from the neutral 
intermediary 4, using, for example, the session identifier and the identifier of 
the supplier of goods or services 2 for the key. 

Stage 207 runs simultaneously with stages 205 and 206 according to 
which the user 1 is redirected, according to means well known to a person 
15 skilled in the art, to the site of the neutral intermediary 4, by passing the 
session identifier as a parameter. 

According to one variant, if the supplier of goods or sen/ices 2 already has 
the telephone number of user 1 or, if it wants to send the intermediary 4 other 
information regarding the transaction, such as the language to be used or the 
20 number of characters to be retrieved, it can send this in parallel via a point to 
point secure link 102. 

At stage 208, if no telephone number has been sent to it, the neutral 
intermediary 4 asks the user 1 for a number at which the latter can be 
contacted immediately. This has to be a fixed or mobile telephone number. 
25 If necessary, and for reasons of convenience and interactivity, the 
telephone number can be requested from user 1, if it has not been sent earlier 
during stage 202 and sent by the user 1 at stage 203. In this case, the 
number is sent to the transaction intermediary 4 during stage 207. 
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At stage 209, the neutral intermediary 4 manages everything related to the 
telephone call and this in particular includes detecting incorrect number format 
or determining that the number is on a list of numbers at risk. In particular, 
these will be numbers of telephone boxes on public roads, for example, or 
5 numbers used during previous attempts at fraud, or deemed to be risky. The 
neutral intermediary 4 also manages the detection as to whether the line is 
busy and ascertaining that numbers or international dial codes are non- 
existent, etc. 

Appropriate responses are provided in each case. 
10 For example, user 1 is asked to correct the telephone number. A differed 
and/or voice-mode call back or a cancellation of the transaction, can be 
provided. 

The neutral intermediary 4 also checks whether the user 1 employs this 
telephone as access to the Internet network 100. In this case, the user 1 is 
15 asked to disconnect from the Internet. He is then called back automatically, for 
example five minutes later, and guided through stages 210 to 212 in, for 
example, voice mode. 

The voice guidance stage then ends with the despatch of an email, with an 
address - or URL (Uniform Resource Locator), according to English 
20 terminology - included, which allows his transaction to be continued once he is 
reconnected. According to possible variants, this electronic message or email 
(in English terminology) is sent on completion of stages 213 to 220, or be 
replaced by a link during stage 209. 

According to a possible variant, if the payment card number of user 1 is 
25 not validated by the authenticating organization 3, then the neutral 
intermediary 4 calls back user 1. 

At stage 210, the user 1 receives a telephone call from the neutral 
intermediary 4. He is guided on his telephone terminal and/or his web 
terminal. The messages may be coordinated and synchronized between the 
30 two networks by the means operated by the neutral intermediary 4. 

At stage 211, the user 1 enters on his terminal 12, in our example the 
telephone, the additional digits of the numbers entered over the 
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network 100, in our example the last eight digits of his payment card number. 

He confirms the entry of the numbers on his terminal 12, for example by 
pressing the '#' key. 

If the telephone 12 of user 1 is not a voice frequency equipment, then, in 
5 one variant of the method, he can enter the numbers via a voice recognition 
system. 

During stage 212, the neutral intermediary 4 verifies that it has in fact 
received the correct number of digits, i.e. in our example eight, and the 
telephone connection over the network 200 is terminated. It optionally prompts 
10 the user 1 to correct errors, for example the entry of a number. 

The digital fingerprint of the pair formed by the telephone number + the 
last eight digits of the payment card number is stored and used to identify the 
user 1 anonymously during subsequent usage. 

As a variant, during the first transaction with the neutral intermediary 4, the 
15 user 1 enters an additional code called the personal code, either by repeating 
a code which moreover will be supplied to him, or by composing a code of his 
choice during the first transaction. 

The digital fingerprint of the pair formed by the telephone number + the 
personal code is stored and used to identify the user 1 anonymously during 
20 subsequent usage. 

In another variant, the personal code is replaced by a voice signature. At 
the end of the transaction, the user 1 is asked to pronounce his name. This 
voice signature is stored and may be used in the event of a dispute. 

In yet another variant, the personal code is replaced by a voiceprint, either 
25 selected by the user or predefined. 

During subsequent uses of the pair formed by the telephone number + the 
last eight digits of the payment card number, recognized automatically by 
comparison with the digital fingerprint, the personal code will be requested 
again and validated by comparing it with the digital fingerprint of the pair 
30 formed by the telephone number + the personal code. 
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At stage 213, the neutral intermediary 4 sends to the authenticating 
organization 3 the last eight digits received and the session number in point to 
point secure mode. 

During stage 214, the authenticating organization 3 receives the data. 
5 Using the session identifier, the authenticating organization 3 retrieves the first 
eight digits of the payment card number which were stored earlier during 
stage 206. 

During stage 215, the complete payment card number is reconstituted by 
the authenticating organization 3. 

10 At stage 216, the authenticating organization 3 validates or does not 
validate the transaction and generates a response. 

In 217, the response is sent in parallel by point to point secure 
transmission 106 to the supplier of goods and services 2 and optionally to the 
neutral intermediary 4 via a point to point secure transmission 105. 

15 Then, during stage 218, the neutral intermediary 4, optionally sends the 
telephone number used for the transaction to the supplier of goods and 
services 2, via a point to point secure transmission 102. This is a valid 
telephone number linked to the user 1 , which therefore constitutes a trace of 
the user 1. This number is not stored uncoded at the neutral intermediary 4 

20 except in cases of fraud. It is stored incompletely, for example with two digits 
masked in a trace file held by the neutral intermediary 4 for billing purposes. It 
is also stored as a digital fingerprint in the means forming the database of the 
neutral intermediary 4. 

In 219, the neutral intermediary 4 terminates the dialogue with the user 1. 

25 The user 1 is then redirected, according to means well known to a person 
skilled in the art, to the site of the supplier of goods and services 2, by passing 
the session identifier as a parameter. 

Finally, in 220, the supplier of goods and services 2 terminates the 
transaction with the user 1 , for example by confirming the transaction. 

30 As indicated above in the description, according to one preferred variant, 
the neutral intermediary 4 can store a fingerprint of the telephone number 
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+ the last eight digits of the payment card number, enabling it to compile an 
anonymous log of the transactions and associate statistical data to it. 

Furthermore, the neutral intermediary 4 may also send in real time to the 
supplier of goods or services 2 as well as to the authenticating organization 3 
a score or various statistics relating to the history of transactions using this 
pair of telephone number + last eight digits of the payment card number. The 
information thus sent can allow the supplier of goods or services 2 to decide in 
real time to terminate or continue the transaction. Fraud is thus limited for the 
supplier of goods or services 2 and also for the authenticating organization 3. 

Thus, the method according to the invention has numerous advantages, in 
particular the fact that it uses conventional transmission channels which are 
easily accessible, such as 

- transmissions over the open Internet network 100, to which access is 
relatively easy. These transmissions can be optionally secure. 

- transmissions called point to point between two certified sites which can 
pass, either via the Internet network using data sealing methods, 
encryption and/or exchange of keys or certificates, or over other networks, 
in particular private, guaranteeing point to point confidentiality 300. Said 
transmissions are private between recognized professionals 
(authenticating organizations, in particular the banks and their approved 
service providers). 

- finally links terminating on the telephone network 200. 

Only the final recipient, the authenticating organization 3 has access to all 
the confidential information. 

The intermediary 4 is neutral and knows nothing about the user except his 
telephone number and it has no need to store this telephone number uncoded 
or reversibly encrypted. 
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Advantageously, the neutral intermediary 4 can call users 1 throughout the 
world. In this case, advantageously, the size of the network 200 is transparent 
for each user 1. The network 200 is therefore matched to the network 100 
which is often on a world scale, in particular for the Internet. 
5 Ail the stages of the method are automated, without human intervention 
and are interactive. 

In one preferred implementation, throughout the method, the user 1 
remains in simultaneous contact on the Internet, via the means 41 of the 
neutral intermediary 4 and the telephone link 200, with the means 42 of the 
10 neutral intermediary 4. 

Transactions are extremely secure, owing to the system of calling back the 
user 1 by the neutral intermediary 4. 

The user who is distrustful can memorize the telephone number which has 
called him back if he has a calling number display, or obtain it from the 
15 telephone operator service in order to verify the identity of the calling server. 



